Current laws miss key points in protecting data

Current federal privacy laws fail to protect sensitive information and need amendments to keep pace with the evolving technology landscape, according to the Government Accountability Office.

The public sector consistently uses IT to collect, store and transmit personal information on individuals. But recently lawmakers and privacy advocates have raised the alarm that existing legislation for protecting that data may no longer be enough. What adds to the problem is agencies’ reliance on IT, which can put sensitive personal information at risk for leaks or misuse.

“While bringing significant benefits, this dependence on IT can also create vulnerabilities that can result in, among other things, the compromise of sensitive personal information through inappropriate use, modification or disclosure,” Gregory Wilshusen, GAO’s director of information security issues, testified before two Senate committees July 31.

Currently, the Privacy Act of 1974 and parts of the E-Government Act of 2002 govern federal collection or use of personally identifiable information. However, these laws only provide minimum requirements for agencies and don’t always protect PII and how it’s used and collected, Wilshusen said in his testimony before the Subcommittee on Oversight of Government Management, the Federal Workforce, and the District of Columbia and the Committee on Homeland Security and Governmental Affairs.

Technological advances also add to the need for revamped legislation. While the Privacy Act applies to personal information residing on government systems, agencies’ use of commercial Web 2.0 tools prompts the question of whether the law protects data gathered and stored by third parties.

GAO has suggested that Congress consider revising both acts that deal with how government agencies handle personal information. Wilshusen said updated legislation needs to include all PII collected, used and maintained by the federal government. Amendments should also set requirements to ensure the collection and use of PII are limited to a stated purpose.

Additionally, modified legislation should include additional mechanisms for notifying citizens about privacy protections by revising requirements for how public notices are made available. Currently, agencies have to post a notice in the Federal Register about data collection but some have questioned whether this is the most appropriate medium to notify citizens.

Another key element of protecting personal information is preventing data breaches, Wilshusen noted. Over the past six years, cases involving leaked or compromised sensitive data reported by federal agencies to the U.S. Computer Emergency Readiness Team increased nearly 680 percent.

“Incidents such as these illustrate that sensitive personally identifiable information remains at risk and that improved protections are needed to ensure the privacy of information collected by the government,” Wilshusen said.

In a 2006 report, GAO noted data breaches could be reduced by limiting how much data is collected and the number of individuals who have access to it. Technological measures such as encryption also helped in preventing incidents, as did adoption of a holistic security program.

However, while agencies can continue taking steps to prevent data breaches, incidents will continue to occur “and when they do it is critical that proper response policies and procedures be in place,” Wilshusen said.

Daniel Castro, senior analyst at the Information Technology & Innovation Foundation, told FCW he agreed the systems of record definition in the Privacy Act should be revised to cover PII and that privacy notices could be better structured and published more clearly on a website rather than in the Federal Register.

"I have some concerns with the recommendation to set more limits on the use of data," he said. "These types of restrictions may impede beneficial uses of information. Instead, more transparency and accountability would protect individual privacy while promoting innovation."

Castro also noted the GAO testimony didn't include the Electronic Communications Privacy Act, which governs how law enforcement can access private communications. "This is another area that should be updated," he added.

About the Author

Camille Tuutti is a former FCW staff writer who covered federal oversight and the workforce.